SPF Record Checker

Check SPF DNS records for domains to verify email sending authorization.

What does SPF Record Checker do?

SPF Record Checker queries DNS TXT records for v=spf1 entries and parses them into structured data. It extracts all SPF mechanisms (include, ip4, ip6, a, mx), the default qualifier (pass, fail, softfail, neutral), redirect domains, included domains, IP ranges, and the DNS lookup count. It also checks whether the record exceeds the 10-lookup limit defined in the SPF specification (RFC 7208).

Use it for email deliverability auditing, security validation, DNS lookup monitoring, or verifying SPF setup before launching email campaigns. The structured output makes it easy to identify overly permissive policies, count DNS lookups, and verify that all authorized senders are included.

Use cases

• Email administrators verifying that SPF records correctly authorize all legitimate sending services
• Deliverability consultants auditing SPF configuration across client domains to improve inbox placement
• Security teams checking that SPF records use strict qualifiers (-all) to prevent unauthorized email sending
• DevOps engineers monitoring SPF DNS lookup counts to ensure records stay under the 10-lookup limit
• Marketing operations validating SPF setup before onboarding a new email service provider

Why use SPF Record Checker?

• Deep SPF parsing — extracts every mechanism, qualifier, include, IP range, and redirect
• Lookup count tracking — reports the number of DNS lookups in the SPF chain, helping you stay under the 10-lookup limit
• Qualifier analysis — identifies the all qualifier (pass, fail, softfail, neutral) to assess policy strictness
• Batch processing — check hundreds of domains in a single run
• Structured output — parsed mechanisms and includes ready for filtering, dashboards, or downstream automation
• Pay-per-event pricing — costs scale with actual usage, just $0.001 per domain checked
• IP range extraction — separately lists authorized IPv4 and IPv6 ranges for network-level analysis

Input parameters

Parameter	Type	Required	Default	Description
domains	string[]	Yes	—	List of domains to check for SPF records. Enter bare domain names (e.g., google.com).

Example input

{
    "domains": ["google.com", "github.com", "example.com"]
}

Output example

Each domain produces one result object with the SPF record presence, parsed mechanisms, includes, IP ranges, qualifier, redirect domain, and DNS lookup count.

Field	Description
domain	The queried domain name
hasSpf	Whether an SPF record was found
record	Full raw SPF record text
version	SPF version (always spf1)
mechanisms	Array of parsed mechanisms with qualifier, type, and value
includes	Domains referenced by include: mechanisms
ipv4Ranges	IPv4 address ranges authorized by ip4: mechanisms
ipv6Ranges	IPv6 address ranges authorized by ip6: mechanisms
allQualifier	The all mechanism qualifier (pass, fail, softfail, neutral)
redirectDomain	Domain referenced by the redirect= modifier
lookupCount	Number of DNS lookups in the SPF chain
error	Error message if check failed

{
    "domain": "google.com",
    "hasSpf": true,
    "record": "v=spf1 include:_spf.google.com ~all",
    "version": "spf1",
    "mechanisms": [
        { "qualifier": "+", "mechanism": "include", "value": "_spf.google.com" },
        { "qualifier": "~", "mechanism": "all", "value": null }
    ],
    "includes": ["_spf.google.com"],
    "ipv4Ranges": [],
    "ipv6Ranges": [],
    "allQualifier": "softfail",
    "redirectDomain": null,
    "lookupCount": 1,
    "error": null
}

How much does it cost?

SPF Record Checker uses Apify's pay-per-event pricing:

Event	Price	Description
Start	$0.035	One-time per run
Domain checked	$0.001	Per domain checked

Examples:

• 10 domains: $0.035 + 10 x $0.001 = $0.045
• 100 domains: $0.035 + 100 x $0.001 = $0.135
• 1,000 domains: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

The Apify API lets you control SPF Record Checker programmatically. Schedule runs, read datasets, manage webhooks, and more. See the Apify API reference for details.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: '<YOUR_API_TOKEN>' });
const run = await client.actor('automation-lab/spf-record-checker').call({
    domains: ['google.com', 'github.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('<YOUR_API_TOKEN>')
run = client.actor('automation-lab/spf-record-checker').call(run_input={
    'domains': ['google.com', 'github.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect SPF Record Checker with other apps and services using Apify integrations. You can integrate with Make, Zapier, Slack, Google Sheets, Google Drive, n8n, and many more. Set up a webhook to receive a Slack alert when an SPF record exceeds the 10-lookup limit or uses a weak +all qualifier, or push results to Google Sheets to track SPF compliance across all your domains.

Tips and best practices

• Watch the lookup count — SPF allows a maximum of 10 DNS lookups; exceeding this limit causes SPF validation to fail (PermError), so monitor lookupCount closely
• Prefer -all over ~all — a hard fail (-all) provides stronger protection than softfail (~all), but make sure all legitimate senders are included first
• Audit after adding services — every time you onboard a new email service (marketing tool, CRM, transactional email), re-check your SPF record to ensure the new include is present and the lookup count is still under 10
• Combine with DMARC Record Checker — SPF alone does not prevent spoofing; use it alongside DMARC for complete email authentication
• Look for redirect vs. include — the redirectDomain field tells you if the SPF record delegates entirely to another domain, which is a different behavior than include

FAQ

What does the allQualifier field mean? The allQualifier indicates what happens to emails that do not match any SPF mechanism. fail (-all) rejects them, softfail (~all) marks them as suspicious, neutral (?all) takes no action, and pass (+all) allows everything (insecure).

What happens when the 10-lookup limit is exceeded? When an SPF record chain requires more than 10 DNS lookups, receiving mail servers return a PermError and SPF validation fails. The lookupCount field helps you detect this before it becomes a deliverability problem.

Can I check SPF records for subdomains? Yes. Enter any subdomain (e.g., mail.example.com) and the actor will check its SPF TXT record. Subdomains can have their own SPF records independent of the parent domain.

What does it mean when hasSpf is false? It means no TXT record containing v=spf1 was found for that domain. Without an SPF record, receiving mail servers cannot verify whether emails sent from your domain are authorized, which may hurt deliverability and leave the domain vulnerable to spoofing.

Can a domain have multiple SPF records? According to the SPF specification (RFC 7208), a domain should have at most one SPF record. Having multiple SPF TXT records is a misconfiguration that can cause validation failures. If multiple records are detected, the actor will report the first one found.